On 11/04/2016 03:09 PM, Sebastien Julliot wrote:
> Hello everyone,
> As I explained you some time ago, I have been skirting the ipa's
> limitation to setting pre-hashed passwords by using ldappasswd. (I know
> you guys think it's wrong. In this case the hashes come from an other
> ldap which, for intern reasons, we can not synchronize with otherwise
> than by frequent ldif extractions. So it's the only solution to have
> unified passwords)
> To have the kerberos key generated, I can ask the users to do an
> ldapsearch or to ssh on a machine with sssd enabled.
> Yet, as most users will mainly want to use the WebUi, I am looking for a
> way to have them able to connect to it without needing to do an
> ldapsearch first.
> To be precise, I set the userPassword field using ldappasswd, and delete
> the krbprincipalkey.
> Do you see any way to make the webui directly authenticable ?
> Sebastien Julliot.
Not sure what you want exactly. But if you want users to do simple ldap
bind with username and password and nothing else then they can use
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project